Weekly Cyber Reports

This Week in Cyber 26th July 2024

Latest news and views from our Cyber Analysts

Written by

Team Nucleus

Written on

25th July, 2024


Analyst Insight: Evolving Cyber Threats and Security Incidents


Recent cyber security updates reveal significant shifts in threat landscapes. A CrowdStrike update mishap has led to malware distribution through the Remcos RAT, illustrating the dangers of system disruptions. The ConfusedFunction vulnerability in Google Cloud Platform’s Cloud Functions highlights risks in cloud environments, allowing unauthorised access to sensitive data. The Telegram app flaw, EvilVideo, demonstrates how zero-day vulnerabilities can be exploited to deliver malware disguised as multimedia files.

Cybercriminals Exploit CrowdStrike Update Mishap to Distribute Remcos RAT Malware


Cyber security firm CrowdStrike, which is under scrutiny for causing global IT disruptions due to a flawed update, has issued a warning that threat actors are exploiting the situation to distribute Remcos RAT malware in Latin America. Attackers are distributing a ZIP archive named "crowdstrike-hotfix.zip," containing a malware loader that launches the Remcos RAT payload. The archive includes Spanish-language instructions urging targets to run an executable file to recover from the issue.


Malicious actors have quickly taken advantage of the chaos, setting up typosquatting domains impersonating CrowdStrike and offering services to affected companies in exchange for cryptocurrency payments. CrowdStrike and Microsoft, which is helping with remediation efforts, reported that the incident affected 8.5 million Windows devices globally. Impacted customers are advised to ensure they communicate with CrowdStrike representatives through official channels and follow the technical guidance provided by the support teams.

Researchers Reveal ConfusedFunction Vulnerability in Google Cloud Platform


Cyber security researchers have disclosed a significant privilege escalation vulnerability in Google Cloud Platform's Cloud Functions service, named ConfusedFunction by Tenable. This flaw could allow attackers to escalate their privileges to the Default Cloud Build Service Account, providing unauthorised access to various services such as Cloud Build, storage, artefact registry, and container registry. This access enables lateral movement and further privilege escalation within a victim's project, potentially leading to unauthorised data access, modification, or deletion.


The vulnerability arises because a Cloud Build service account is automatically created and linked to a Cloud Build instance when a Cloud Function is created or updated. Due to its excessive permissions, an attacker with access to create or update a Cloud Function can exploit this account to gain broader access to other Google Cloud services. Although Google has updated the default behaviour to mitigate this risk for new instances, existing instances remain vulnerable.
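The mitigation described above only changes the default for newly created instances, so a defender wants to know which existing functions still build as the default Cloud Build service account. The audit script below is an added example, not code from the original article, from Tenable or from Google; it reads a constructed JSON inventory of functions and assumes the build identity is exposed under `buildConfig.serviceAccount` (an assumption about the inventory format, so adjust the accessor to whatever your inventory tooling emits).

```python
import json
import re

# The default Cloud Build service account is <project-number>@cloudbuild.gserviceaccount.com.
DEFAULT_CLOUD_BUILD_SA = re.compile(r"^\d+@cloudbuild\.gserviceaccount\.com$")


def build_identity(function):
    """E-mail of the account the function's build runs as, or None if unset.
    Reading it from buildConfig.serviceAccount is an assumption about the
    inventory format; the value may be a bare e-mail or a
    projects/<p>/serviceAccounts/<email> resource name, so keep the last segment."""
    sa = function.get("buildConfig", {}).get("serviceAccount")
    return sa.rsplit("/", 1)[-1] if sa else None


def classify(function):
    """Triage one function record:
    'default-cloud-build-sa' - builds explicitly run as the over-privileged default
    'unset'                  - relies on the platform default; pre-fix instances still
                               map this to the Cloud Build account, so verify it
    'custom'                 - dedicated build account (the least-privilege target)"""
    sa = build_identity(function)
    if sa is None:
        return "unset"
    if DEFAULT_CLOUD_BUILD_SA.match(sa):
        return "default-cloud-build-sa"
    return "custom"


def audit(inventory_json):
    """Map short function name -> verdict for every function that needs review."""
    findings = {}
    for fn in json.loads(inventory_json):
        verdict = classify(fn)
        if verdict != "custom":
            findings[fn["name"].rsplit("/", 1)[-1]] = verdict
    return findings


# Constructed sample inventory (not real output), shaped like a JSON function list.
SAMPLE_INVENTORY = json.dumps([
    {"name": "projects/demo/locations/europe-west2/functions/legacy-etl",
     "buildConfig": {"serviceAccount": "projects/demo/serviceAccounts/"
                                       "123456789012@cloudbuild.gserviceaccount.com"}},
    {"name": "projects/demo/locations/europe-west2/functions/old-webhook",
     "buildConfig": {}},
    {"name": "projects/demo/locations/europe-west2/functions/new-api",
     "buildConfig": {"serviceAccount": "fn-build@demo.iam.gserviceaccount.com"}},
])

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_INVENTORY).items():
        print(f"{name}: {verdict}")  # legacy-etl and old-webhook are flagged
```

Functions reported as `unset` are not necessarily safe: on a project created before Google changed the default, an unset build account still resolves to the Cloud Build service account, so confirm the effective identity per project.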

Telegram App Flaw Exploited to Spread Malware Hidden in Videos


A zero-day security flaw in Telegram's mobile app for Android, named EvilVideo, has been exploited by attackers to distribute malicious files disguised as videos. Discovered by ESET and disclosed on June 26, the vulnerability allowed attackers to share malicious Android payloads through Telegram channels, groups, and chats, making them appear as multimedia files. The payloads, crafted using Telegram's API, camouflaged a malicious APK file as a 30-second video. Upon clicking, users were prompted to play the video using an external player, which then led to the installation of the malicious APK named after an adult website. This issue was patched by Telegram in version 10.14.5 on July 11.


The attack particularly targeted Latin America-based Telegram users, leveraging Spanish-language instructions in the malicious ZIP archive. Users who opened the video would automatically download the malicious payload due to Telegram's default settings. Although the exploit did not affect Telegram's web or Windows clients, it highlighted the platform's vulnerability.

Patchwork Hackers Target Bhutan with Advanced Brute Ratel C4 Tool


The cyber threat actor known as Patchwork has launched an attack targeting entities tied to Bhutan, utilising the sophisticated Brute Ratel C4 framework and an updated version of the backdoor PGoShell. This marks the first time Patchwork has employed the Brute Ratel C4 tool, as reported by the Knownsec 404 Team.


Patchwork, also identified as APT-C-09, Dropping Elephant, and Viceroy Tiger, is believed to be a state-sponsored group of Indian origin, active since at least 2009. The latest attack involves a Windows shortcut (LNK) file that downloads a decoy PDF from a domain mimicking the UNFCCC-backed Adaptation Fund while stealthily deploying Brute Ratel C4 and PGoShell. Developed in Go, PGoShell offers functionalities like remote shell access and screen capture. 

APT45 Shifts from Cyber Espionage to Ransomware Attacks


A well-known threat actor has shifted its focus from cyber espionage to financially motivated ransomware attacks. Mandiant, a Google-owned company, tracks this group under the name APT45. Historically targeting critical infrastructure, APT45 has now been linked to deploying ransomware families such as SHATTEREDGLASS and Maui against organisations in various countries in recent years. Its activities show a move away from traditional espionage towards targeting sectors such as healthcare and crop science, reflecting changing priorities.
